• Posts
  • RSS
  • ◂◂RSS
  • Contact

  • Why So Many Cookie Banners?

    October 9th, 2022
    privacy, tech
    Sometimes you'll see people saying things like:

    Using cookies to track state on a website, that is only used for that website, is fine. You don't need to ask for consent.—rrwo


    You don't need a cookie banner to be allowed to create cookies. You only need them if you're using them for something like tracking.—y4mi

    Something like, "as long as you design your site properly and don't abuse storage you don't need to ask your European visitors for permission." While I'm not working in this area anymore, am not a lawyer, and am not attempting to give you legal advice, if you read the regulation this interpretation is completely off.

    Cookie banners are a response to the 2002 ePrivacy Directive (full text, guidance). While the ePrivacy Directive may be superseded soon by the (pretty similar) ePrivacy Regulation, it's still the current rule. It requires you to get consent from visitors before you store information on their computer (cookies, localStorage, etc) unless this behavior is "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user" [1]. This isn't "in order to" or even "necessary in order to", it's "strictly necessary in order to". Which is quite firm!

    This excludes, for example, using a cookie for basic single-site analytics (4.3), where you want to figure out where users are getting stuck on your site or to populate a "users who viewed this product ended up buying this other product" box. Even though this information helps you improve your site for future visitors, including potentially this one, it isn't 'strictly necessary' for serving this user right now.

    If the user puts an item in their shopping cart you can set a cookie, because that's how you honor their request, but it's still quite restrictive (2.3):

    a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant's website in the following minutes.

    Maintaining a shopping cart across days isn't "strictly necessary" and so requires explicit consent. Despite it being a useful thing users may be expecting: if I put things in my cart, don't check out, and come back the next day, I'm going to be frustrated if the site has forgotten my selections!

    Similarly, say you have a "language" dropdown or a "dark mode" checkbox". Unless you have explicitly marked the UI control with text like "uses cookies" (3.6) you can't persist this setting for future visits.

    The overall effect of this is that most sites will not be ePrivacy-compliant unless they either (a) get cookie consent from users or (b) hire a lawyer to review each of the things they do in the context of ePrivacy, and make careful changes to keep everything within the tight bounds of "strictly necessary". It's not surprising we see so many cookie banners!

    [1] Technically it's also allowed if it's "for the sole purpose of carrying out the transmission in the electronic communications network and provided that the information is not stored for any period longer than is necessary for the transmission and for traffic management purposes, and that during the period of storage the confidentiality remains guaranteed". But the "strictly necessary" criterion covers almost everything in practice.

    Comment via: facebook, lesswrong

    Recent posts on blogs I like:

    How much time and money does an additional child take?

    Some things scale, others don't. The post How much time and money does an additional child take? appeared first on Otherwise.

    via Otherwise March 19, 2023

    What does Bing Chat tell us about AI risk?

    Early signs of catastrophic risk? Yes and no.

    via Cold Takes February 28, 2023

    Why Neighborhoods Should Have Speed Bumps

    I have several reasons I think why neighborhoods should have speed bumps. First, speed bumps are very useful to stop cars from hitting people in the streets. Second, when construction workers installed speed bumps on the street in front of our house it was v…

    via Lily Wise's Blog Posts February 27, 2023

    more     (via openring)

  • Posts
  • RSS
  • ◂◂RSS
  • Contact